How to Manage Organizational Risks with ISO 31000 in Jira

September 22, 2025

Most companies have informal risk discussions in meetings. You know the type – “What happens if our lead developer leaves?” or “What if this big deal doesn’t close?” These conversations usually end without a real action plan, and you find yourself discussing the same risks over and over again.

That’s where ISO 31000 comes in. It’s not just another framework for large enterprises, even though many small companies assume it is. It’s a practical approach that helps any organization systematically manage the risks and opportunities that affect its business goals.

Watch this video to see how to implement ISO 31000 organizational risk management in Jira with a real-world example.

What Makes ISO 31000 Different from Other Risk Management Approaches

ISO 31000 is an international standard that provides principles, a framework and a process for risk management. Unlike management-system standards such as ISO 27001, it is not a certifiable standard and does not hand you a rigid checklist to follow. Instead, it offers principles and guidelines that any organization can adapt to its specific needs.

The key difference? ISO 31000 expands risk management beyond just avoiding threats. It includes identifying, managing, and leveraging opportunities that help achieve your business objectives.

The standard defines risk as “effect of uncertainty on objectives,” which covers both negative risks (threats) and positive risks (opportunities).

The Seven-Step ISO 31000 Risk Management Process

The ISO 31000 framework includes a structured seven-step process:

Step 1: Define Strategic Objectives

Start by writing down your most important business objectives. These become the anchor against which all risks and opportunities are evaluated.

You can’t determine if something is actually a risk or opportunity until you analyse its relationship with the identified objectives.

Step 2: Risk & Opportunity Identification

Identify events, conditions and uncertainties that could either negatively impact the achievement of your objectives (risks/threats) or positively impact achieving your business goals (opportunities/positive risks).

Every risk or opportunity must connect to at least one business objective.

Steps 3-4: Risk/Opportunity Analysis and Evaluation

Rate each risk and opportunity on likelihood and impact (analysis), then compare the resulting score against the criteria you set when defining your objectives (evaluation).

The score gives you a ranked list, so you can see which risks and opportunities need immediate attention and which can simply be monitored.

Step 5: Risk Treatment & Opportunity Enablement

Decide and implement actions that either mitigate negative risks or enable positive opportunities. This is where you move from planning to actual execution.

Step 6: Monitoring and Review Risks and Opportunities

This step ensures your risk management doesn’t become a static document gathering dust.

You’re doing two things here: monitoring individual risks/opportunities and improving the risk management process itself. The process must grow with your organization and reflect changes in your business environment.

Step 7: Communication and Consultation

In ISO 31000 itself, communication and consultation run alongside every other step rather than only at the end, so treat this as an activity to weave into decision making throughout: embed risk analysis into all planning processes – project planning, business cases, budget proposals, everything.

Include risk reviews in meetings at different organizational levels. This ensures risk management becomes everyone’s responsibility, not just the risk manager’s job.

Keep stakeholders informed and involved throughout the process. This maintains awareness and ensures buy-in across the organization.

Why Small Organizations Need ISO 31000

Many small companies dismiss ISO 31000 as “too complex” or “only for large organizations.” But here’s the reality: if you’re having those informal risk discussions in meetings, you’re already doing risk management – just without structure.

The problem is that without a systematic approach:

  • No one takes ownership of risks
  • Nobody tracks them with timelines
  • There are no follow-up actions
  • You keep discussing the same issues in every meeting
  • When risks actually occur, they surprise you (even though you’ve talked about them for months)

A structured approach gives you clarity, helps prioritize limited resources and prevents those unpleasant repetitive surprises that derail your business.

Real-World Example: Implementing ISO 31000 in Jira

A small Atlassian Marketplace app vendor based in the EU, with 20 fully remote employees and growing fast, wanted to move from constant firefighting to strategic business planning.

Their Business Objectives were the following:

  1. Reach $1 million ARR in 18 months
  2. Expand into North America
  3. Retain customers and reduce churn
  4. Achieve ISO 27001 certification
  5. Maintain near-100% SLA

The app vendor implemented the ISO 31000 framework in Jira Cloud in the following six steps, using the SoftComply Risk Manager Plus app.

Step 1: Create Jira Issue Types for Risks and Opportunities

First, the app vendor set up two Jira issue types: “Risk” and “Opportunity.”

This gave Risks and Opportunities each their own workflow, assigned owners and a separate risk model (the assessment matrices described in the next step) in Jira.

Step 2: Build Risk and Opportunity Heatmaps & Registers

Next, the company created two 4×4 assessment matrices (heatmaps), one for risks and the other for opportunities.

Risk Matrix:

Opportunities Matrix:

For opportunities, impact levels ranged from minimal business effect to transformational outcomes. Likelihood levels measured how achievable the opportunity is given the resources and market conditions of the app vendor.

For risks, they used the standard impact (negligible to critical) and likelihood (improbable to probable) scale. High-scoring items in either category get priority attention.

In the Risk Manager Plus table view, the app vendor set up two tabs with the following fields:

  • Organizational Risks: Description, linked objective, department, owner, impact, likelihood, risk score, mitigation actions

  • Opportunities: Description, linked objective, impact, likelihood, opportunity score, enabling actions

Step 3: Identify Risks & Opportunities and Link them to Objectives 

Next, the app vendor analysed the possible scenarios that could hinder the achievement of their identified business objectives as well as the positive events that would help reach their business goals.

Risks they identified (and linked to business objectives they impact):

  • Financial: Revenue drops because app marketplace ranking falls (impacts reaching the desired ARR)
  • Compliance: ISO 27001 audit fails due to missing controls (may hinder achieving the ISO 27001 certificate)
  • Operational: AWS outage causes customer churn and SLA violations (negatively impacts the goal to retain customers)
  • Human Resources: Lead developer quits (impacts multiple objectives)

Opportunities they identified (and linked to business objectives they enable):

  • Integrate with Atlassian’s Isolated Cloud (enables expansion to North America)
  • Build direct partner sales channel (to reach $1M ARR target)
  • Automate customer onboarding (to improve retention)
  • Publicly showcase ISO 27001 journey (to gain customer trust) 

Step 4: Assess Risks and Opportunities

Each identified risk and opportunity was then assessed using the defined criteria.

Risk Assessment
Opportunity Assessment

The app automatically calculated the scores and highlighted the high-priority items that needed immediate action.
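To make the scoring in Steps 3-4 of the process, and Steps 2 to 4 of this example, concrete, here is a small Python register that models the same fields the vendor set up in Jira: two 4×4 scales, links to business objectives, owners, and treatment or enabling actions. It computes impact × likelihood, bands the result, flags items that break the article’s own rules (no linked objective, no owner, a high score with no action) and sums risk exposure per objective. This is an added example written for this article, not SoftComply’s or Jira’s code. The article only names the endpoints of each scale (negligible to critical, improbable to probable, minimal to transformational), so the two middle labels on each axis, the numeric ratings given to the sample items, the band thresholds and the action wording are assumptions.

```python
"""Added example: an ISO 31000-style risk/opportunity register with 4x4 scoring.
Illustrative code written for this article, not SoftComply's or Jira's logic.
Middle scale labels, sample ratings, band thresholds and actions are assumed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# 4x4 risk scales. Endpoints follow the article; the middle labels are assumed.
RISK_IMPACT = {"negligible": 1, "minor": 2, "major": 3, "critical": 4}
RISK_LIKELIHOOD = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4}
# 4x4 opportunity scales: impact from minimal effect to transformational,
# likelihood = how achievable the opportunity is. Middle labels assumed.
OPP_IMPACT = {"minimal": 1, "moderate": 2, "significant": 3, "transformational": 4}
OPP_LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "very likely": 4}

# Business objectives from the worked example (the O1..O5 keys are ours).
OBJECTIVES = {"O1": "Reach $1 million ARR in 18 months", "O2": "Expand into North America",
              "O3": "Retain customers and reduce churn", "O4": "Achieve ISO 27001 certification",
              "O5": "Maintain near-100% SLA"}


def band(score: int) -> str:
    """Map a 1..16 product score to a priority band (thresholds assumed)."""
    return "high" if score >= 12 else "medium" if score >= 6 else "low"


@dataclass
class Item:
    """One register row, mirroring the Jira fields listed in Step 2."""
    key: str
    kind: str                     # "Risk" or "Opportunity" (the two issue types)
    summary: str
    impact: str
    likelihood: str
    objectives: list[str] = field(default_factory=list)   # linked objectives
    owner: Optional[str] = None
    actions: list[str] = field(default_factory=list)      # treatment / enabling
    department: Optional[str] = None

    def score(self) -> int:
        """Impact x likelihood on the scale that matches the issue type."""
        imp = RISK_IMPACT if self.kind == "Risk" else OPP_IMPACT
        lik = RISK_LIKELIHOOD if self.kind == "Risk" else OPP_LIKELIHOOD
        if self.impact not in imp or self.likelihood not in lik:
            raise ValueError(f"{self.key}: rating is not on the {self.kind} scale")
        return imp[self.impact] * lik[self.likelihood]


def validate(item: Item) -> list[str]:
    """Return which of the article's register rules the item breaks."""
    problems = []
    if not item.objectives or any(o not in OBJECTIVES for o in item.objectives):
        problems.append("not linked to a known business objective")
    if not item.owner:
        problems.append("no owner")
    if band(item.score()) == "high" and not item.actions:
        problems.append("high score but no treatment/enabling action")
    return problems


def exposure_by_objective(items: list[Item]) -> dict[str, int]:
    """Sum of risk scores per linked objective: which goals are most threatened."""
    totals: dict[str, int] = defaultdict(int)
    for it in items:
        if it.kind == "Risk":
            for o in it.objectives:
                totals[o] += it.score()
    return dict(totals)


def report(items: list[Item]) -> dict:
    """Ranked items (score desc, key asc), rule violations, per-objective exposure."""
    ranked = sorted(items, key=lambda it: (-it.score(), it.key))
    return {"ranked": [(it.key, it.score(), band(it.score())) for it in ranked],
            "violations": {it.key: validate(it) for it in items if validate(it)},
            "exposure": exposure_by_objective(items)}


# Constructed register using the risks and opportunities identified in Step 3.
# Ratings, owners and actions are illustrative assumptions, not the vendor's data.
REGISTER = [
    Item("RISK-1", "Risk", "Marketplace ranking falls, revenue drops", "major", "occasional",
         ["O1"], "CEO", ["Diversify marketing channels", "Improve app store reviews"], "Financial"),
    Item("RISK-2", "Risk", "ISO 27001 audit fails due to missing controls", "critical", "remote",
         ["O4"], "CISO", ["Gap assessment against the control set"], "Compliance"),
    Item("RISK-3", "Risk", "AWS outage causes churn and SLA violations", "critical", "occasional",
         ["O3", "O5"], "CTO", ["Multi-region failover"], "Operational"),
    Item("RISK-4", "Risk", "Lead developer quits", "major", "probable",
         ["O1", "O3", "O5"], None, [], "HR"),                      # unowned and untreated
    Item("OPP-1", "Opportunity", "Integrate with Atlassian Isolated Cloud", "transformational",
         "likely", ["O2"], "CTO", ["Join Isolated Cloud beta"]),
    Item("OPP-2", "Opportunity", "Build direct partner sales channel", "significant", "possible",
         ["O1"], "CEO", ["Recruit first partners"]),
    Item("OPP-3", "Opportunity", "Automate customer onboarding", "moderate", "very likely",
         ["O3"], "Head of Support", ["In-app onboarding flow"]),
    Item("OPP-4", "Opportunity", "Publicly showcase ISO 27001 journey", "minimal", "very likely",
         ["O3"], "CEO", ["Blog series"]),
]

if __name__ == "__main__":
    out = report(REGISTER)
    for key, score, level in out["ranked"]:
        print(f"{key:7} score={score:2} {level}")
    for key, problems in out["violations"].items():
        print(f"{key}: {'; '.join(problems)}")
    print(out["exposure"])
```

Running it lists the three 12-point items first, reports RISK-4 (the departing lead developer) as the one entry with no owner and no treatment, and shows that objectives O3 and O5 carry the most summed risk because both are hit by the AWS outage and the key-person risk. The per-objective exposure is exactly the reason Step 1 insists that every risk link to an objective: without the link, the figure cannot be computed.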

Step 5: Describe and Implement Treatment or Enabling Actions

For high-scoring risks, the app vendor implemented mitigation actions like diversifying marketing channels, improving app store reviews and building mailing lists to keep in touch with their clients.

For high-value opportunities, they focused on enabling actions like joining the beta program of Atlassian Isolated Cloud and establishing thought leadership content in their blog posts.

Step 6: Report & Track Progress

The app vendor used the risk dashboard to monitor their risk portfolio.

They could see at a glance how many high-priority risks needed their attention and which opportunities they should be pursuing next.

The Business Impact: Moving from Reactive to Strategic Risk Management

Companies like the Atlassian app vendor described above that implement systematic risk management see measurable improvements:

  • Reduced Firefighting: Fewer “surprise” problems that derail projects and budgets,
  • Better Resource Allocation: Clear priorities for where to invest time and money,
  • Improved Decision Making: Risk assessment becomes part of every planning discussion, 
  • Faster Growth: Systematic opportunity identification and enablement,
  • Team Confidence: Everyone knows what could go wrong and what the plan is when it does.

According to Deloitte’s Global Risk Management Survey, organizations with mature risk management practices see 30% fewer operational disruptions and are 66% more likely to achieve their objectives.

Getting Started: Your Next Steps

Don’t try to build the perfect system on day one. Start with your most obvious risks and opportunities, then expand the process as it proves valuable.

Week 1: Define 3-5 key business objectives,

Week 2: Identify 5-10 risks and opportunities linked to those objectives, 

Week 3: Set up basic tracking in your existing workflow tool,

Week 4: Assign owners and create first round of action plans.

The goal isn’t perfection – it’s progress. A simple system that people actually use beats a sophisticated one that sits ignored.

Ready to see how this works in practice? Watch the full implementation walkthrough above or schedule a demo to see how the SoftComply Risk Manager Plus can help you move beyond crisis mode into strategic growth. You can also explore our complete product page to understand all the features that help teams implement effective risk management.

Your team will thank you for taking control of risks before they take control of your business. As many risk and resilience experts emphasize, risk management is no longer just about avoiding negative events – it’s about creating a resilient organization that can thrive in uncertainty.
